The Windows vulnerability, known as CVE-2024-21338, was first discovered by Avast cybersecurity researchers about six months ago. The Windows Kernel privilege escalation vulnerability was found in the Windows AppLocker driver appid.sys. It affects multiple versions of Windows 10 and Windows 11 operating systems. The vulnerability was also found in Windows Server 2019 and 2022.

Microsoft patches the vulnerability

Last year, Avast researchers notified Microsoft that this vulnerability was being used as a zero-day exploit. Since then, some of the world’s biggest and most dangerous threat actors, including the North Koreans, have been actively exploiting this vulnerability.

The Lazarus Group, a threat actor with known ties to the North Korean government, exploited the vulnerability to gain kernel-level access to vulnerable devices and disable antivirus programs.

To exploit the zero-day, Lazarus used a new version of FudModule, a custom rootkit first noticed in late 2022. In previous attacks, the rootkit exploited a Dell driver, known as a BYOVD (Bring Your Own Vulnerable Driver) attack.

Now FudModule has become more mysterious and more functional. It offers more ways to avoid detection and options to disable endpoint protection solutions.

The group apparently used it to disable products such as AhnLab V3 Endpoint Security, Windows Defender, CrowdStrike Falcon and HitmanPro antimalware solution.

As of the end of last month, there is now an official patch for this vulnerability. Microsoft released updates last week fixing the vulnerability. Details about the attackers were not shared.

“To exploit this vulnerability, an attacker would first need to log in to the system. An attacker could then run a custom-built application that could exploit the vulnerability to gain control over an affected system,” Microsoft explained.

So don’t forget to check Windows Update and make the update. What do you think? Please don’t forget to share your thoughts with us in the comments section.